MCP Setup
Configure Rockfish MCP for different deployment scenarios.
Configuration File
Create a config.yaml:

    # S3 credentials (optional)
    s3:
      region: us-east-1
      # access_key_id: your-key
      # secret_access_key: your-secret
      # endpoint: localhost:9000  # For MinIO/R2

    # Output settings
    output:
      default_format: json
      max_rows: 1000
      pretty_print: true

    # Data source mappings
    sources:
      flow:
        path: s3://security-data/netflow/
        description: Network flow data
        require_license: true
      ip_reputation:
        path: /data/threat-intel/ip-reputation.parquet
        description: IP reputation scores

stdio Mode (Default)
For Claude Desktop or local tools.
Claude Desktop Configuration
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Linux: ~/.config/claude/claude_desktop_config.json

    {
      "mcpServers": {
        "rockfish": {
          "command": "/path/to/rockfish-mcp",
          "env": {
            "ROCKFISH_CONFIG": "/path/to/config.yaml"
          }
        }
      }
    }

HTTP/WebSocket Mode
For web applications and standard HTTP clients.
Quick Start
- Generate self-signed certificate:

      ./generate-self-signed-cert.sh

- Generate API key and hash:

      API_KEY=$(openssl rand -base64 32)
      echo "API Key: $API_KEY"
      echo "Hash: $(echo -n "$API_KEY" | sha256sum | cut -d' ' -f1)"

- Configure config.yaml:

      tls:
        enabled: true
        http_mode: true
        bind_address: "0.0.0.0:8443"
        cert_path: "./certs/cert.pem"
        key_path: "./certs/key.pem"
      auth:
        api_keys:
          - name: "web-client"
            key_hash: "paste-hash-here"

- Run the server:

      ROCKFISH_CONFIG=config.yaml rockfish_mcp

- Connect:

      python examples/python_client_bearer_auth.py \
        --host localhost --port 8443 \
        --token "$API_KEY" --skip-verify

Plain HTTP Mode (Development)
For local development or behind a reverse proxy:

    tls:
      enabled: true
      http_mode: true
      disable_tls: true  # No encryption
      bind_address: "127.0.0.1:8080"
    auth:
      api_keys:
        - name: "dev-client"
          key_hash: "your-hash-here"

Warning: Only use plain HTTP for local development or behind a TLS-terminating proxy.
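
An added example (not part of the Rockfish documentation or code base): a small audit of the tls and auth settings shown on this page, flagging plain HTTP bound to a non-loopback address and key_hash values that are not SHA-256 hex digests. It assumes config.yaml has already been parsed into a dict, that auth is a top-level section, and that a config without tls.enabled runs in stdio mode; audit, bind_host and is_loopback are names made up here.

```python
import ipaddress
import re

# Shape printed by `sha256sum | cut -d' ' -f1`: 64 lowercase hex characters.
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

def bind_host(bind_address):
    """Host part of "host:port"; IPv6 literals may be bracketed."""
    return bind_address.rsplit(":", 1)[0].strip("[]")

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty or unresolved name: treat as network-reachable

def audit(config):
    """Findings for the tls/auth sections of an already-parsed config.yaml."""
    tls = config.get("tls") or {}
    if not tls.get("enabled"):
        return []  # assumption: without tls.enabled the server runs in stdio mode
    findings = []
    addr = str(tls.get("bind_address", ""))
    if tls.get("disable_tls"):
        if not is_loopback(bind_host(addr)):
            findings.append("plain HTTP on non-loopback address %r" % addr)
    elif not (tls.get("cert_path") and tls.get("key_path")):
        findings.append("TLS enabled but cert_path or key_path is missing")
    keys = (config.get("auth") or {}).get("api_keys") or []
    if not keys:
        findings.append("network listener has no auth.api_keys entries")
    for entry in keys:
        if not SHA256_HEX.match(str(entry.get("key_hash", ""))):
            findings.append("key_hash for %r is not a SHA-256 hex digest" % entry.get("name"))
    return findings

# Constructed sample: the plain HTTP block with a wildcard bind and placeholder hash.
SAMPLE = {
    "tls": {"enabled": True, "http_mode": True, "disable_tls": True,
            "bind_address": "0.0.0.0:8080"},
    "auth": {"api_keys": [{"name": "dev-client", "key_hash": "your-hash-here"}]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

The loopback rule is stricter than the warning above: a plain HTTP listener that a TLS-terminating proxy on another host must reach needs an explicit exception.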
TLS Server Mode
For custom integrations with raw TLS connections.

    tls:
      enabled: true
      http_mode: false  # Raw TLS mode
      bind_address: "127.0.0.1:8443"
      cert_path: "./certs/cert.pem"
      key_path: "./certs/key.pem"
    auth:
      api_keys:
        - name: "production-client"
          key_hash: "your-key-hash-here"

License Validation
Require Parquet files to have valid Rockfish license metadata:

    sources:
      # Any valid Rockfish license
      licensed_flows:
        path: s3://data/flows/
        description: Licensed network flow data
        require_license: true

      # Specific license IDs only
      enterprise_flows:
        path: s3://data/enterprise/
        description: Enterprise flow data
        require_license: true
        allowed_license_ids:
          - "lic_abc123"
          - "lic_def456"

      # No validation (default)
      public_data:
        path: /data/public/
        description: Public datasets

Rockfish Probe embeds license metadata in Parquet files:
- rockfish.license.id
- rockfish.license.tier
- rockfish.license.customer_email
- rockfish.license.issued_at
Environment Variables
| Variable | Description |
|---|---|
| ROCKFISH_CONFIG | Path to config.yaml |
| AWS_ACCESS_KEY_ID | AWS credentials |
| AWS_SECRET_ACCESS_KEY | AWS credentials |
| AWS_REGION | AWS region |
Testing

    # Start server
    ROCKFISH_CONFIG=config.yaml rockfish_mcp

    # Test with curl (HTTP mode)
    curl -X POST https://localhost:8443/mcp \
      -H "Authorization: Bearer $API_KEY" \
      -H "Content-Type: application/json" \
      -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'

Next Steps
- Authentication - Secure your server
- Tools & Queries - Query reference
- S3 Configuration - Cloud storage setup